ecryptfs-setup-private 默认使用 AES 128 位密钥。
我可以让它使用 256 位密钥(32 字节密钥长度)吗?
当然,我可以按照这里所述手动完成整个过程:https://wiki.archlinux.org/index.php/System_Encryption_with_eCryptfs#Setup_.28in_detail.29
但我希望能够方便地使用 ecryptfs 的易于使用的工具,但同时又使用更强大的加密密钥。
我尝试修改 /usr/bin/ecryptfs-setup-private(将里面的 KEYBYTES="16" 改为 KEYBYTES="32"),但是创建 Private/.Private 目录的过程将会失败。
答案1
简短的回答是“不”。当我写ecryptfs-设置-私有,我选择了一组默认值加密文件系统我认为这对于数百万 Ubuntu 用户来说是合理、安全且可支持的,因为从长远来看,这些用户并不太关心可调参数。这限制了我们必须测试和支持的配置组合的数量。
正如你所注意到的,如果你读过文档并手动挂载,而 Ubuntu 加密私人/家庭功能在任何地方都有一组一致的选项。
此外,布鲁斯·施奈尔建议不要使用 AES256,支持 AES128:
对于新应用程序,我建议人们不要使用 AES-256。AES-128 在可预见的未来提供了足够的安全保障。
答案2
嗯,长答案可能是“是的,但要注意失去与 16 字节编码目录的兼容性”。
针对最近的 ecryptfs-utils-104 源应用以下补丁应该可以完成这项工作 - 但是,它只是将硬编码值更改为 32,而没有选择的可能性。但如果它对某些人有用:
diff -ruN ecryptfs-utils-104/README ecryptfs-utils-104-32byte/README
--- ecryptfs-utils-104/README 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/README 2015-01-23 05:43:43.206773596 +0100
@@ -278,13 +278,13 @@
You should get something like this:
---
-/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
---
Add ``user'' and ``noauto'' to the mount options:
---
-/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
---
Append your edited line to your /etc/fstab file. Now it's time to test
diff -ruN ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1
--- ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1 2015-01-23 05:43:43.206773596 +0100
@@ -29,7 +29,7 @@
- mount SOURCE onto DESTINATION
- as an ecryptfs filesystem
- using the AES cipher
- - with a key length of 16 bytes
+ - with a key length of 32 bytes
- using the passphrase whose signature is in ~/.ecryptfs/Private.sig
The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8).
diff -ruN ecryptfs-utils-104/src/include/ecryptfs.h ecryptfs-utils-104-32byte/src/include/ecryptfs.h
--- ecryptfs-utils-104/src/include/ecryptfs.h 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/include/ecryptfs.h 2015-01-23 05:43:43.207773542 +0100
@@ -144,7 +144,7 @@
#define ECRYPTFS_ECHO_OFF 0
#define ECRYPTFS_AES_BLOCK_SIZE 16
-#define ECRYPTFS_AES_KEY_BYTES 16
+#define ECRYPTFS_AES_KEY_BYTES 32
#define ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME "wrapped-passphrase"
diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-recover-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private
--- ecryptfs-utils-104/src/utils/ecryptfs-recover-private 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private 2015-01-23 05:43:43.207773542 +0100
@@ -101,12 +101,12 @@
1)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=
- mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+ mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
;;
2)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=$(echo "$sigs" | tail -n1)
- mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+ mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
;;
*)
continue
diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-setup-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private
--- ecryptfs-utils-104/src/utils/ecryptfs-setup-private 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private 2015-01-23 05:43:43.208773488 +0100
@@ -13,7 +13,8 @@
TEXTDOMAIN="ecryptfs-utils"
MESSAGE="$(gettext 'Enter your login passphrase')"
CIPHER="aes"
-KEYBYTES="16"
+KEYBYTES="32"
+SIGBYTES="16"
FNEK=
# Zero out user-defined GREP_OPTIONS, such as --line-number
@@ -97,7 +98,8 @@
bytes=$1
# Pull $1 of random data from /dev/urandom,
# and convert to a string of hex digits
- od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+ # od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+ dd if=/dev/urandom bs=$[$bytes*3/2] count=1 status=none | base64
}
filename_encryption_available() {
@@ -393,7 +395,7 @@
error "$(gettext 'Could not add passphrase to the current keyring')"
fi
sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
-if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
+if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$SIGBYTES,$SIGBYTES}$"; then
error "$(gettext 'Could not obtain the key signature')"
fi
temp=`mktemp`
diff -ruN ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c
--- ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c 2015-01-23 05:43:43.208773488 +0100
@@ -47,7 +47,8 @@
* by the system administrator (or user?) at run time. For now, these are set
* to reasonable values to reduce the burden of input validation.
*/
-#define KEY_BYTES 16
+#define SIG_BYTES 16
+#define KEY_BYTES 32
#define KEY_CIPHER "aes"
#define FSTYPE "ecryptfs"
#define TMP "/dev/shm"
@@ -159,13 +160,13 @@
sig[0] = NULL;
sig[1] = NULL;
for (i=0; i<2; i++) {
- if ((sig[i] = (char *)malloc(KEY_BYTES*sizeof(char)+2)) == NULL) {
+ if ((sig[i] = (char *)malloc(SIG_BYTES*sizeof(char)+2)) == NULL) {
perror("malloc");
goto err;
}
- memset(sig[i], '\0', KEY_BYTES+2);
- /* Read KEY_BYTES characters from line */
- if (fgets(sig[i], KEY_BYTES+2, fh) == NULL) {
+ memset(sig[i], '\0', SIG_BYTES+2);
+ /* Read SIG_BYTES characters from line */
+ if (fgets(sig[i], SIG_BYTES+2, fh) == NULL) {
if (i == 0) {
fputs("Missing file encryption signature", stderr);
goto err;
@@ -187,7 +188,7 @@
sig[i][j] = '\0';
}
}
- if (strlen(sig[i]) > 0 && strlen(sig[i]) != KEY_BYTES) {
+ if (strlen(sig[i]) > 0 && strlen(sig[i]) != SIG_BYTES) {
fputs("Invalid hex signature length\n", stderr);
goto err;
}
@@ -489,7 +490,7 @@
* - mounts ~/.Private onto ~/Private
* - as an ecryptfs filesystem
* - using the AES cipher
- * - with a key length of 16 bytes
+ * - with a key length of 32 bytes
* - and using the signature defined in ~/.ecryptfs/Private.sig
* - ONLY IF the user
* - has the signature's key in his keyring
diff -ruN ecryptfs-utils-104/tests/lib/etl_funcs.sh ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh
--- ecryptfs-utils-104/tests/lib/etl_funcs.sh 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh 2015-01-23 05:43:43.209773433 +0100
@@ -32,7 +32,7 @@
default_ext2_opts="user_xattr,acl"
default_ext3_opts="user_xattr,acl,commit=600,barrier=1,data=ordered"
default_btrfs_opts="nodatacow"
-default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=\${ETL_FEKEK_SIG}"
+default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=\${ETL_FEKEK_SIG}"
default_fne_mount_opts="${default_mount_opts},ecryptfs_fnek_sig=\${ETL_FNEK_SIG}"
答案3
我在谷歌搜索时遇到了这个老问题。为什么不直接使用以下命令呢?
sudo mount -i -t ecryptfs [私有目录] [挂载点] \ -o ecryptfs_sig=[你的签名],ecryptfs_fnek_sig=[你的签名],\ ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs